en: Add a doc about how to run as non root user (#2742)

Author: Oreoxmt

en/TOC.md

@@ -0,0 +1,29 @@
+<!-- markdownlint-disable MD007 -->
+<!-- markdownlint-disable MD041 -->
+
+- [TiDB on Kubernetes Docs](https://docs.pingcap.com/tidb-in-kubernetes/dev)
+- Introduction
+- Deploy
+    - On Self-Managed Kubernetes
+- Monitor and Alert
+- Migrate
+    - Migrate from MySQL
+- Manage
+    - Security
+      - [Run Containers as a Non-Root User](containers-run-as-non-root-user.md)
+    - Upgrade
+        - Upgrade TiDB Operator
+    - Backup and Restore
+        - Amazon S3 Compatible Storage
+        - Google Cloud Storage
+        - Azure Blob Storage
+        - Persistent Volumes
+        - Snapshot Backup and Restore across Multiple Kubernetes
+    - Maintain
+        - Replace Nodes for a TiDB Cluster
+    - Disaster Recovery
+- Troubleshoot
+- Reference
+    - Architecture
+    - Tools
+    - Configure

en/containers-run-as-non-root-user.md

@@ -0,0 +1,59 @@
+---
+title: Run Containers as a Non-Root User
+summary: Learn how to run containers as a non-root user in a Kubernetes environment.
+---
+
+# Run Containers as a Non-Root User
+
+In some Kubernetes environments, containers cannot be run as the root user. For security reasons, it is recommended to run containers as a non-root user in production environments to reduce the risk of potential attacks. This document describes how to configure containers to run as a non-root user using the [`securityContext`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).
+
+## Configure containers related to TiDB Operator
+
+For TiDB Operator containers, configure the `securityContext` in the Helm `values.yaml` file.
+
+The following is an example configuration:
+
+```yaml
+controllerManager:
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 2000
+    fsGroup: 2000
+```
+
+## Configure containers generated by CR
+
+For containers generated by Custom Resources (CRs), configure the `securityContext` in any CR, such as `PDGroup`, `TiDBGroup`, `TiKVGroup`, `TiFlashGroup`, `TiCDCGroup`, `Backup`, `CompactBackup`, `BackupSchedule`, or `Restore`.
+
+- For CRs such as `PDGroup`, `TiDBGroup`, `TiKVGroup`, `TiFlashGroup`, and `TiCDCGroup`, configure the `securityContext` using the Overlay method. The following is an example configuration for the `PDGroup` CR:
+
+    ```yaml
+    apiVersion: core.pingcap.com/v1alpha1
+    kind: PDGroup
+    metadata:
+      name: pd
+    spec:
+      template:
+        spec:
+          overlay:
+            pod:
+              spec:
+                securityContext:
+                  runAsUser: 1000
+                  runAsGroup: 2000
+                  fsGroup: 2000
+    ```
+
+- For CRs such as `Backup`, `CompactBackup`, `BackupSchedule`, and `Restore`, configure the `podSecurityContext` in the `spec` field. The following is an example configuration for the `Backup` CR:
+
+    ```yaml
+    apiVersion: br.pingcap.com/v1alpha1
+    kind: Backup
+    metadata:
+      name: backup
+    spec:
+      podSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 2000
+        fsGroup: 2000
+    ```